Add Enos CI account service quotas limit increase requests to bootstrapping (#18309)

2022-12-12 13:14:38 -05:00 · 2022-12-12 13:14:38 -05:00 · 0c181f8f25
parent 3bf683b872
commit 0c181f8f25
4 changed files with 72 additions and 18 deletions
--- a/enos/README.md
+++ b/enos/README.md
@ -143,9 +143,9 @@ unzipped Vault binary at the `vault_local_binary_path`.

 # CI Bootstrap
 In order to execute any of the scenarios in this repository, it is first necessary to bootstrap the 
-CI AWS account with the required permissions and supporting AWS resources. There are two Terraform
-modules which are used for this purpose, [service-user-iam](./ci/service-user-iam) for the account
-permissions and [bootstrap](./ci/bootstrap) for the supporting resources.
+CI AWS account with the required permissions, service quotas and supporting AWS resources. There are 
+two Terraform modules which are used for this purpose, [service-user-iam](./ci/service-user-iam) for 
+the account permissions, and service quotas and [bootstrap](./ci/bootstrap) for the supporting resources.

 **Supported Regions** - enos scenarios are supported in the following regions: 
 `"us-east-1", "us-east-2", "us-west-1", "us-west-2"`
@ -153,13 +153,16 @@ permissions and [bootstrap](./ci/bootstrap) for the supporting resources.
 ## Bootstrap Process
 These steps should be followed to bootstrap this repo for enos scenario execution:

-### Set up CI service user IAM role
+### Set up CI service user IAM role and Service Quotas
 The service user that is used when executing enos scenarios from any GitHub Action workflow must have 
-a properly configured IAM role granting the access required to create resources in AWS. The
-[service-user-iam](./ci/service-user-iam) module contains the IAM Policy and Role for that grants
-this access. This module should be updated whenever a new AWS resource type is required for a scenario.
-Since this is persistent and cannot be created and destroyed each time a scenario is run, the Terraform
-state will be managed by Terraform Cloud. Here are the steps to configure the GitHub Actions service user:
+a properly configured IAM role granting the access required to create resources in AWS. Additionally,
+service quotas need to be adjusted to ensure that normal use of the ci account does not cause any
+service quotas to be exceeded. The [service-user-iam](./ci/service-user-iam) module contains the IAM 
+Policy and Role for that grants this access as well as the service quota increase requests to adjust 
+the service quotas. This module should be updated whenever a new AWS resource type is required for a 
+scenario or a service quota limit needs to be increased. Since this is persistent and cannot be created 
+and destroyed each time a scenario is run, the Terraform state will be managed by Terraform Cloud. 
+Here are the steps to configure the GitHub Actions service user:

 #### Pre-requisites
 - Access to the `hashicorp-qti` organization in Terraform Cloud.
@ -185,7 +188,6 @@ state will be managed by Terraform Cloud. Here are the steps to configure the Gi
 > cd ./enos/ci/service-user-iam
 > export TF_WORKSPACE=<repo name>-ci-service-user-iam
 > export TF_TOKEN_app_terraform_io=<Terraform Cloud Token>
-> export TF_VAR_aws_ssh_public_key=<public key>
 > export TF_VAR_repository=<repository name>
 > terraform init
 > terraform plan
--- a/enos/ci/service-user-iam/main.tf
+++ b/enos/ci/service-user-iam/main.tf
@ -12,24 +12,22 @@ terraform {
  }
 }

-provider "aws" {
-  region = "us-east-1"
-}
-
 locals {
  enterprise_repositories = ["vault-enterprise"]
  is_ent                  = contains(local.enterprise_repositories, var.repository)
-  ci_account_prefix       = local.is_ent ? "vault-enterprise" : "vault"
+  ci_account_prefix       = local.is_ent ? "vault_enterprise" : "vault"
  service_user            = "github_actions-${local.ci_account_prefix}_ci"
  aws_account_id          = local.is_ent ? "505811019928" : "040730498200"
 }

 resource "aws_iam_role" "role" {
+  provider           = aws.us_east_1
  name               = local.service_user
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
 }

 data "aws_iam_policy_document" "assume_role_policy_document" {
+  provider = aws.us_east_1
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
@ -42,12 +40,14 @@ data "aws_iam_policy_document" "assume_role_policy_document" {
 }

 resource "aws_iam_role_policy" "role_policy" {
-  role   = aws_iam_role.role.name
-  name   = "${local.service_user}_policy"
-  policy = data.aws_iam_policy_document.iam_policy_document.json
+  provider = aws.us_east_1
+  role     = aws_iam_role.role.name
+  name     = "${local.service_user}_policy"
+  policy   = data.aws_iam_policy_document.iam_policy_document.json
 }

 data "aws_iam_policy_document" "iam_policy_document" {
+  provider = aws.us_east_1
  statement {
    effect = "Allow"
    actions = [
--- a/enos/ci/service-user-iam/providers.tf
+++ b/enos/ci/service-user-iam/providers.tf
@ -0,0 +1,19 @@
+provider "aws" {
+  region = "us-east-1"
+  alias  = "us_east_1"
+}
+
+provider "aws" {
+  region = "us-east-2"
+  alias  = "us_east_2"
+}
+
+provider "aws" {
+  region = "us-west-1"
+  alias  = "us_west_1"
+}
+
+provider "aws" {
+  region = "us-west-2"
+  alias  = "us_west_2"
+}
--- a/enos/ci/service-user-iam/service-quotas.tf
+++ b/enos/ci/service-user-iam/service-quotas.tf
@ -0,0 +1,33 @@
+locals {
+  // This is the code of the service quota to request a change for. Each adjustable limit has a
+  // unique code. See, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicequotas_service_quota#quota_code
+  subnets_per_vps_quota = "L-F678F1CE"
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_1" {
+  provider     = aws.us_east_2
+  quota_code   = local.subnets_per_vps_quota
+  service_code = "vpc"
+  value        = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_2" {
+  provider     = aws.us_east_2
+  quota_code   = local.subnets_per_vps_quota
+  service_code = "vpc"
+  value        = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_1" {
+  provider     = aws.us_west_1
+  quota_code   = local.subnets_per_vps_quota
+  service_code = "vpc"
+  value        = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_2" {
+  provider     = aws.us_west_2
+  quota_code   = local.subnets_per_vps_quota
+  service_code = "vpc"
+  value        = 50
+}